Governance, Risk and Compliance

Risk Assessment for Security Decisions
Risk assessment evaluates likely harm, exposure, and control context so security decisions and remediation priorities are grounded in actual risk.
Residual Risk After Controls
Residual risk is the risk that remains after security controls and mitigation steps have already been applied.
Segregation of Duties in Security
Segregation of duties is the control principle of dividing critical tasks so one person does not control every step of a sensitive process.
Security Audit Log
An audit log is a record of relevant actions and events that helps organizations review activity, support investigations, and demonstrate accountability.
Compliance Frameworks for Security Governance
A compliance framework is a structured set of requirements or control expectations used to guide and assess security and accountability practices.
Data Classification for Security Handling
Data classification is the practice of labeling data by sensitivity or importance so controls and handling requirements can match the risk.
Risk Register for Security Tracking
A risk register is the structured record used to track identified risks, their status, ownership, and planned treatment.
Compensating Controls for Security Gaps
A compensating control is an alternative safeguard used to reduce risk when the preferred or standard control is not fully available.
Security Baseline Standard
A security baseline is the standard minimum set of security settings or controls expected for a system, device, or environment.
Exception Management for Security Standards
Exception management is the process for documenting, reviewing, approving, and tracking departures from a standard security requirement or baseline.
Security Change Management
Change management is the controlled process for planning, approving, implementing, and reviewing changes that could affect systems or security.
Security Policy for Organizational Security
A security policy is a formal statement of the rules, expectations, and principles an organization uses to guide security decisions and behavior.
Acceptable Use Policy for Security and IT Access
An acceptable use policy defines the rules for how employees, contractors, or other users are allowed to use organizational systems, accounts, devices, and data.
Risk Treatment Decisions
Risk treatment is the decision an organization makes on how it will respond to an identified security risk.
Policy Exception for Security Requirements
A policy exception is an approved departure from a normal security requirement, usually with conditions, risk acknowledgment, and a time limit.
Asset Inventory for Security Coverage
An asset inventory is the maintained record of the systems, devices, applications, identities, and other resources an organization needs to track and protect.
Third-Party Risk in Security
Third-party risk is the security risk introduced by vendors, service providers, partners, contractors, and other outside parties that connect to the organization or handle its data.
Security Awareness Training for Safer User Behavior
Security awareness training is the ongoing education that helps users recognize security risk, follow safer behavior, and report suspicious activity.
Vendor Risk Management for Third Parties
Vendor risk management is the ongoing process of evaluating, monitoring, and reducing the security risk introduced by third-party vendors and service providers.
Risk Appetite for Security Decisions
Risk appetite is the general amount and type of risk an organization is willing to accept in pursuit of its objectives.
Control Mapping for Compliance Evidence
Control mapping is the process of linking security controls to specific risks, policies, standards, or compliance requirements they are meant to address.
Log Retention for Security Evidence
Log retention is the policy and practice of keeping security-relevant logs for a defined period so they remain available for monitoring, investigation, and evidence needs.
Shadow IT Risk
Shadow IT is the use of technology systems, services, applications, or infrastructure outside the organization’s approved security and governance processes.
Data Loss Prevention Controls
Data loss prevention is the combination of policies and controls used to reduce the chance that sensitive data is exposed, moved, or shared in ways the organization did not intend.
Security Debt and Risk Exposure
Security debt is the accumulated burden created when security improvements, hardening, or design cleanup are deferred and the unresolved issues continue to add risk over time.